I have just completed teaching my first ever PreCon training event at the Information Security Summit. Earlier this year I resolved to make this a reality and present on SQL Server Security. It has been a lot of work, consuming all of my spare time the past four months. Some thoughts in no particular order:
– I had 10 students. I was pleasantly surprised to see that many sign up. When I pitched this idea to my friend Gary Sheehan, CSO of the Information Security Summit, over a year ago, we didn’t know if anyone would even show up. We thought there was a hole there between the SQL Server DBA world and the Security/Compliance/Audit Professional world in terms of training/education but were not sure what it might look like. This was an exercise in throwing something at the wall and seeing what sticks. I still believe this core tenet of bridging the gap remains valid, but the message/content needs fine-tuning.
– Attendee breakdown. I was even further surprised to see that the attendees were about evenly split between SQL Server DBAs and IT Security/Audit/Compliance Professionals. We had some interesting discussions and I think that was very helpful.
– Gigabyte Brix. My demo platform was a Gigabyte Brix ultra mini PC connected via a switch. It sounded like a good idea when I bought it, but it was too complicated. I underestimated the complexity of the care and feeding of it. Powerful device, but overkill for what I needed it for.
– Separation of Duties. I included a module on Separation of Duties. It wasn’t very well received. Maybe because it came right after lunch, I’m not sure. The demos were a dismal failure and I gave up and retreated.
– Dress up. I believe in overdressing a little bit, and I wore a tie.
– Printed book. I had the course materials printed and bound into a mini book. It was very well received, with many positive comments on the quality. I also received positive comments from other attendees later on at the Summit itself, so I guess it made a splash.
– USB drive. I also supplied the course materials electronically on a cheap USB drive. Nothing to download. It was also a hit.
– Older versions of SQL Server. One recurring theme we discussed was the prevalence of older versions of SQL Server, even SQL Server 2000, in the real world. I’m not surprised by this. Part of the aim of some of the material presented was to use older techniques as a “stop-gap” measure to achieve partial compliance.
– ISV / 3rd party applications. Another great discussion item, one that everyone had horror stories about, is that many 3rd party applications are replete with security holes and poor on compliance in general.
– Prize giveaway. This was a big hit and I’m glad it worked out.
– Too much material. We didn’t get through the material, and there was too much of it. This course could be a two-day class. Some of the attendees even said so.
– Weak demos. I didn’t spend enough time preparing for demos and it showed. About half of the demos were cut short, either due to failure or to time constraints. I will follow Kevin Kline’s advice and record my demos next time.
– Content balance. The content was too technical for Security/Audit/Compliance professionals. I suspected this might be a problem but didn’t fully realize it until I looked at my audience. By then it was too late. Several comments indicated that a high-level day plus a deep-dive day would be desirable. That’s really an indication that there are two different audiences here and that a one-size-fits-all approach cannot and will not work.
– Content focus. The initial focus vector was operational security for SQL Server. I later expanded it to include Regulatory Compliance topics like HIPAA and PCI-DSS, and at the last minute added in short modules on SQL Injection and Securing the Platform for completeness. This led to a shotgun approach that lacked cohesion. I was trying to please too many people here.
In spite of all of the above, I have to declare this event a victory. This was a major personal and professional goal for me this year and I’m happy to have done it. I also learned a lot doing it. If you attended the event, I appreciate your coming and I hope you learned something.